AWS
Set up AWS
Last Updated: October 1, 2021

App Creation in SecurEnds Tool

In the Admin Console, go to Applications. Click the Add button next to it to begin configuration.

Setup Application

- Select the Data Ingestion method as Connector.
- Enter the application Name.
- Enter the Application Owner email.
- Search for the Connector in Featured Integrations and select AWS.

An Agent is software that is installed in your on-premises environment to pull data from applications that are not cloud based, such as Active Directory, databases and custom applications.

- Select Remote if you already have the Agent software installed. The server where the agent is installed needs connectivity to the on-premises application or database. If a new agent is required, contact your implementation consultant or submit a ticket via the SecurEnds Help Desk using the Report Issue link in the upper right corner of the SecurEnds application; SecurEnds will provide the files and instructions.
- Select Local if the application is cloud based. No agent install is required, but you will need to whitelist the SecurEnds IPs. Your Implementation Consultant can provide these.

Select the Match By logic as Default (Email or FirstName and LastName) or Employee Id:

- Default (Email or FirstName and LastName): the system matches the user by Email, or by First Name and Last Name, while syncing.
- Employee Id: the system matches only on the Employee ID while syncing.

Select Include Inactive Users to control which users are fetched during sync:

- Yes: all Active status users, along with Disabled status users, are added to the Matched users for AWS.
- No: only Active users are added to the Matched users for AWS.

Set Include Entitlements Enabled to Yes to load the application's entitlements while syncing.

Configure Application

Enter the information gathered from Configuration Details:

- Provide the AWS Access Key.
- Provide the AWS Secret Key.

Ticketing System Configuration

For more information on Ticketing System Configuration, refer to the Ticketing System Configuration documentation. Click Save once finished to add the connector.
Configuration Details
Last Updated: October 18, 2021

Please note, the following steps walk through an example use case; the information that needs to be saved will be specific to your application.

Steps to Gather AWS Credentials

To set up the connector between SecurEnds and AWS, you will need to create a Policy and a User, and add both to a newly created Group.

IMPORTANT: The AWS admin who sets up the SecurEnds service account on the AWS side needs the correct permissions, and must also grant that service account all the permissions SecurEnds requires to pull the required details. If either of these points is missing, the SecurEnds connector will pull only the entitlements and users that the admin is entitled to see.

Step 1: Create a Policy

- Log in to your instance of AWS.
- Select Identity and Access Management (IAM) > Access management > Policies.
- Select Create policy and add the following options to the policy:
  - Service: select IAM
  - Actions: select List and Read
  - Resources: select All resources

Step 2: Create a Group

- Select Identity and Access Management (IAM) > Access management > Groups.
- Select Create New Group.
- Give a Group name and select Next Step.
- Select the Policy created in Step 1 and select Next Step.
- Review and select Create Group.

Step 3: Create and Add User to a Group

- Select Identity and Access Management (IAM) > Access management > Users.
- Select Add user.
- Give a Group Name and select Next: Permissions.
- Select Add user to group, then select the Group created in Step 2, and select Next: Tags.
- If needed, add tags to the user group, then select Next: Review to skip or move on to the next step. Note: this step is optional and not required for setup.
- Review and select Create user.
- Download the .csv file.
- Copy/Save the Access Key and Secret Key for use when setting up the application within SecurEnds. Note: this is the only opportunity to view and save the token.
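The console's "IAM: List and Read on All resources" selection from Step 1 produces a JSON policy document. The following Python module is an added example (not SecurEnds code) that builds that document and audits any IAM policy for actions that can change state, which is the check an AWS admin would run before handing a service account's access key to a third party. The `iam:Get*`/`iam:List*` action set is an assumption approximating the console's List and Read access levels, the read-verb prefixes are a heuristic, and the broad sample policy is constructed here for the demonstration. Running `find_write_actions` over the Recommended Policies block in the multi-account section below would flag its Create, Delete, Attach, Detach, Put, Update and AddUserToGroup actions.

```python
"""Build the Step 1 policy ("IAM: List and Read on all resources") and audit
IAM policy documents for write-capable actions.

Added example for this page; not SecurEnds code. READ_ONLY_ACTIONS is an
assumption approximating the console's List/Read access levels for IAM.
"""
import json

# Assumption: wildcard actions covering the console's IAM List and Read levels.
READ_ONLY_ACTIONS = ["iam:Get*", "iam:List*"]

# Heuristic: IAM action verbs with these prefixes do not modify state.
READ_PREFIXES = ("Get", "List", "Describe")


def build_iam_read_policy(sid="SecurEndsReadOnly"):
    """Return the Step 1 policy document: IAM List/Read on all resources."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": sid,
                "Effect": "Allow",
                "Action": READ_ONLY_ACTIONS,
                "Resource": "*",
            }
        ],
    }


def _as_list(value):
    """IAM allows a single string or a list in most elements; normalise."""
    return value if isinstance(value, list) else [value]


def is_read_action(action):
    """True if a 'service:Verb' action string is read-level.

    A bare wildcard ('*', 'iam:*') can match write actions, so it is
    treated as write-capable."""
    _, _, verb = action.partition(":")
    if not verb or verb.startswith("*"):
        return False
    return verb.startswith(READ_PREFIXES)


def find_write_actions(policy):
    """Sorted list of Allow actions in a policy that can change state."""
    flagged = set()
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            if not is_read_action(action):
                flagged.add(action)
    return sorted(flagged)


def policy_is_read_only(policy):
    """True when no Allow statement grants a write-capable action."""
    return not find_write_actions(policy)


# Constructed sample: a policy that also grants user lifecycle rights.
SAMPLE_BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "sample",
            "Effect": "Allow",
            "Action": ["iam:ListUsers", "iam:GetUser",
                       "iam:CreateUser", "iam:DeleteUser"],
            "Resource": "*",
        }
    ],
}

if __name__ == "__main__":
    print(json.dumps(build_iam_read_policy(), indent=2))
    print("Step 1 policy read-only:", policy_is_read_only(build_iam_read_policy()))
    print("write actions in sample:", find_write_actions(SAMPLE_BROAD_POLICY))
```

The audit only inspects Allow statements and treats any wildcard verb as write-capable; an explicit Deny elsewhere in the policy is not accounted for, so a result of "read-only" is a necessary, not sufficient, least-privilege check.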
AWS Multi Account Set up
Last Updated: July 9, 2021

Step 1: Follow the URL below to set up the AWS user for SecurEnds data import. https://www.securends.com/documentation/configure-aws/

Step 2: Step 1 is intended to pull AWS IAM information for a single, specific account. To work with a multi-account (cross-account) scenario, a different approach is required, using an assumed role (STS).

Step 3: Select one of the target accounts and create a custom policy named "SecureEndsCEM-Policy". The "SecureEndsCEM-Policy" must contain the permissions listed below under Recommended Policies from SecurEnds.

Step 4: Create a new role (assume role) and specify a name, e.g., SecureEndsCEM. Attach the custom policy "SecureEndsCEM-Policy" created in Step 3 to the "SecureEndsCEM" role. Note: Repeat the policy and assume-role creation process for every account that SecurEnds is intended to use.

Step 5: Add the Trust relationship to the STS role. The trusted account is the one from which the role is assumed.

Step 6: Go to the source account (SecurEnds will use the user from this account to pull the IAM data) and create a custom policy identical to the one specified in Step 3.

Step 7: Go to the user created in Step 1. On the "Permissions" tab, click "Add permissions" and attach the custom policy created in Step 6. Note: Permissions can also be assigned through groups, but here direct permissions via the policy are used.

Step 8: Create a new STS policy for the user and list the assume role ARN of each target account in it (multiple account ARNs can be added through the Resource element of the STS policy). Click Create policy, providing the name "SecureEndsCEM-STS-Policy". After the STS policy is created, attach it to the user.

Step 9: The user account is now set up with the assume role feature to access multiple accounts. SecurEnds can use this assumed role to pull the multi-account data using the SecurEnds AWS setup credentials: https://www.securends.com/documentation/set-up-aws/

Recommended Policies from SecurEnds:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "securends-cem-id",
      "Effect": "Allow",
      "Action": [
        "iam:GetPolicyVersion",
        "iam:CreateUser",
        "iam:AddUserToGroup",
        "iam:RemoveUserFromGroup",
        "iam:ListAttachedRolePolicies",
        "iam:ListAttachedUserPolicies",
        "iam:ListAttachedGroupPolicies",
        "iam:ListRolePolicies",
        "iam:DetachUserPolicy",
        "iam:ListPolicies",
        "iam:GetPolicy",
        "iam:ListGroupPolicies",
        "iam:UpdateUser",
        "iam:ListEntitiesForPolicy",
        "iam:DeleteUserPolicy",
        "iam:AttachUserPolicy",
        "iam:ListRoles",
        "iam:DeleteUser",
        "iam:ListUserPolicies",
        "iam:ListPolicyVersions",
        "iam:GetUserPolicy",
        "iam:ListGroupsForUser",
        "iam:PutUserPolicy",
        "iam:ListUsers",
        "iam:ListGroups",
        "iam:GetUser"
      ],
      "Resource": "*"
    }
  ]
}
```
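Steps 5 and 8 each produce a policy document, and the cross-account pull only works when the two agree: every target role ARN in the source user's "SecureEndsCEM-STS-Policy" must have a trust policy that allows the source principal to call sts:AssumeRole. The following Python module is an added example (not SecurEnds code) that generates both documents for a list of target accounts and cross-checks them. The account IDs and the user name `securends-svc` are constructed placeholders; the role name SecureEndsCEM and the policy name are the ones the page uses. As a design choice, the trust policy names the specific source user ARN rather than the whole source account (`:root`), so only that principal can assume the role.

```python
"""Generate and cross-check the multi-account documents: the trust policy on
each target account's SecureEndsCEM role (Step 5) and the
SecureEndsCEM-STS-Policy attached to the source-account user (Step 8).

Added example for this page; not SecurEnds code. Account IDs and the user
name are constructed placeholders.
"""
import json

ROLE_NAME = "SecureEndsCEM"  # role created in Step 4 of the page

# Constructed placeholders; the 12-digit account IDs are fictitious.
SOURCE_ACCOUNT = "111111111111"
SOURCE_USER = "securends-svc"
TARGET_ACCOUNTS = ["222222222222", "333333333333"]


def role_arn(account_id, role_name=ROLE_NAME):
    return f"arn:aws:iam::{account_id}:role/{role_name}"


def user_arn(account_id, user_name):
    return f"arn:aws:iam::{account_id}:user/{user_name}"


def build_trust_policy(source_account, source_user):
    """Trust relationship for a target role (Step 5).

    Trusting the specific user ARN instead of 'arn:aws:iam::<acct>:root'
    limits which principal in the source account can assume the role."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": user_arn(source_account, source_user)},
                "Action": "sts:AssumeRole",
            }
        ],
    }


def build_sts_policy(target_accounts, role_name=ROLE_NAME):
    """SecureEndsCEM-STS-Policy for the source user (Step 8): one Resource
    entry per target role ARN, which is how several accounts are listed."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "securends-cem-sts",
                "Effect": "Allow",
                "Action": "sts:AssumeRole",
                "Resource": [role_arn(a, role_name) for a in target_accounts],
            }
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def principals_trusted(trust_policy):
    """Set of AWS principal ARNs a trust policy allows to sts:AssumeRole."""
    allowed = set()
    for stmt in _as_list(trust_policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            continue
        allowed.update(_as_list(stmt.get("Principal", {}).get("AWS", [])))
    return allowed


def check_cross_account_setup(sts_policy, trust_policies, source_principal):
    """Return the role ARNs from the STS policy whose trust policy does not
    trust source_principal; AssumeRole into those accounts would be denied.

    trust_policies maps role ARN -> that role's trust policy document."""
    problems = []
    for stmt in _as_list(sts_policy["Statement"]):
        for arn in _as_list(stmt.get("Resource", [])):
            trust = trust_policies.get(arn)
            if trust is None or source_principal not in principals_trusted(trust):
                problems.append(arn)
    return problems


if __name__ == "__main__":
    sts = build_sts_policy(TARGET_ACCOUNTS)
    trusts = {role_arn(a): build_trust_policy(SOURCE_ACCOUNT, SOURCE_USER)
              for a in TARGET_ACCOUNTS}
    print(json.dumps(sts, indent=2))
    print("roles missing trust:",
          check_cross_account_setup(sts, trusts, user_arn(SOURCE_ACCOUNT, SOURCE_USER)))
```

The check runs offline against the documents you intend to apply; in AWS the same mismatch shows up as an AccessDenied on sts:AssumeRole for the affected account, which is the first thing to look for when a multi-account sync returns only the source account's data.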
